ec suite_b: Define scalar_mul_mont wrappers in Rust.

Take a step towards eliminating `prefixed_export!` by eliminating one
C user of `bn_mul_mont`.

build.rs

@@ -39,7 +39,6 @@ const RING_SRCS: &[(&[&str], &str)] = &[
     (&[], "crypto/fipsmodule/bn/montgomery.c"),
     (&[], "crypto/fipsmodule/bn/montgomery_inv.c"),
     (&[], "crypto/fipsmodule/ec/ecp_nistz.c"),
-    (&[], "crypto/fipsmodule/ec/gfp_p256.c"),
     (&[], "crypto/fipsmodule/ec/gfp_p384.c"),
     (&[], "crypto/fipsmodule/ec/p256.c"),
     (&[], "crypto/limbs/limbs.c"),
@@ -966,7 +965,6 @@ fn prefix_all_symbols(pp: char, prefix_prefix: &str, prefix: &str) -> String {
         "p384_point_add",
         "p384_point_double",
         "p384_point_mul",
-        "p384_scalar_mul_mont",
         "openssl_poly1305_neon2_addmulmod",
         "openssl_poly1305_neon2_blocks",
         "sha256_block_data_order",

crypto/fipsmodule/ec/gfp_p384.c

@@ -39,16 +39,6 @@ static const BN_ULONG Q[P384_LIMBS] = {
 #endif
 };
 
-static const BN_ULONG N[P384_LIMBS] = {
-#if defined(OPENSSL_64_BIT)
-  0xecec196accc52973, 0x581a0db248b0a77a, 0xc7634d81f4372ddf, 0xffffffffffffffff,
-  0xffffffffffffffff, 0xffffffffffffffff
-#else
-  0xccc52973, 0xecec196a, 0x48b0a77a, 0x581a0db2, 0xf4372ddf, 0xc7634d81,
-  0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff
-#endif
-};
-
 static const BN_ULONG ONE[P384_LIMBS] = {
 #if defined(OPENSSL_64_BIT)
   0xffffffff00000001, 0xffffffff, 1, 0, 0
@@ -71,10 +61,6 @@ static const BN_ULONG Q_N0[] = {
   BN_MONT_CTX_N0(1, 1)
 };
 
-static const BN_ULONG N_N0[] = {
-  BN_MONT_CTX_N0(0x6ed46089, 0xe88fdc45)
-};
-
 /* XXX: MSVC for x86 warns when it fails to inline these functions it should
  * probably inline. */
 #if defined(_MSC_VER) && !defined(__clang__) && defined(OPENSSL_X86)
@@ -212,13 +198,6 @@ void p384_elem_neg(Elem r, const Elem a) {
 }
 
 
-void p384_scalar_mul_mont(ScalarMont r, const ScalarMont a,
-                              const ScalarMont b) {
-  /* XXX: Inefficient. TODO: Add dedicated multiplication routine. */
-  bn_mul_mont(r, a, b, N, N_N0, P384_LIMBS);
-}
-
-
 /* TODO(perf): Optimize this. */
 
 static void p384_point_select_w5(P384_POINT *out,

mk/generate_curves.py

@@ -209,6 +209,8 @@
     p%(bits)d_elem_mul_mont(r, a, a);
 }
 
+mul_mont! { p%(bits)s_scalar_mul_mont(n0: 0x_6ed46089_e88fdc45; modulus: &COMMON_OPS.n) }
+
 prefixed_extern! {
     fn p%(bits)s_elem_mul_mont(
         r: *mut Limb,   // [COMMON_OPS.num_limbs]
@@ -227,12 +229,6 @@
         p_x: *const Limb,      // [COMMON_OPS.num_limbs]
         p_y: *const Limb,      // [COMMON_OPS.num_limbs]
     );
-
-    fn p%(bits)s_scalar_mul_mont(
-        r: *mut Limb,   // [COMMON_OPS.num_limbs]
-        a: *const Limb, // [COMMON_OPS.num_limbs]
-        b: *const Limb, // [COMMON_OPS.num_limbs]
-    );
 }"""
 
 
@@ -323,6 +319,7 @@ def generate_rs(g, out_dir):
         "q_minus_n" : q - n,
         "oneRR_mod_n": rr(n),
         "n_minus_2": n_minus_2,
+        "n_n0": format_n0_rs(n),
     }
 
     out_path = os.path.join(out_dir, "%s.rs" % name)
@@ -359,10 +356,6 @@ def generate_rs(g, out_dir):
 %(q)s
 };
 
-static const BN_ULONG N[P%(bits)d_LIMBS] = {
-%(n)s
-};
-
 static const BN_ULONG ONE[P%(bits)d_LIMBS] = {
 %(q_one)s
 };
@@ -375,10 +368,6 @@ def generate_rs(g, out_dir):
   %(q_n0)s
 };
 
-static const BN_ULONG N_N0[] = {
-  %(n_n0)s
-};
-
 """
 
 # Given a number |x|, return a generator of a sequence |a| such that
@@ -417,12 +406,18 @@ def format_big_int(x, limb_count):
   %s
 #endif""" % (big, small)
 
-def format_n0(p):
+def format_n0_c(p):
     value = modinv(-p, 2**64)
     hi = value // (2**32)
     lo = value % (2**32)
     return "BN_MONT_CTX_N0(%s, %s)" % (format_limb(hi), format_limb(lo))
 
+def format_n0_rs(p):
+    value = modinv(-p, 2**64)
+    hi = value // (2**32)
+    lo = value % (2**32)
+    return "0x_%08x_%08x" % (hi, lo)
+
 def const(value):
     return lambda _limb_bits: value
 
@@ -438,11 +433,9 @@ def generate_c(g, out_dir):
     output = c_template % {
         "bits": q.bit_length(),
         "q" : format_big_int(const(q), big_int_limbs(q)),
-        "q_n0": format_n0(q),
+        "q_n0": format_n0_c(q),
         "q_one" : format_big_int(lambda limb_bits: to_montgomery_value(1, q, limb_bits), big_int_limbs(q)),
         "q_plus_1_shr_1": format_big_int(const((q + 1) >> 1), big_int_limbs(q)),
-        "n" : format_big_int(const(n), big_int_limbs(q)),
-        "n_n0": format_n0(n),
     }
 
     out_path = os.path.join(out_dir, "gfp_%s.c" % name)

src/arithmetic/montgomery.rs

@@ -120,7 +120,7 @@ use crate::{bssl, c, limb::Limb};
 // TODO: Stop calling this from C and un-export it.
 #[allow(deprecated)]
 prefixed_export! {
-    pub(super) unsafe fn bn_mul_mont(
+    pub unsafe fn bn_mul_mont(
         r: *mut Limb,
         a: *const Limb,
         b: *const Limb,
@@ -226,7 +226,7 @@ prefixed_extern! {
 ))]
 prefixed_extern! {
     // `r` and/or 'a' and/or 'b' may alias.
-    pub(super) fn bn_mul_mont(
+    pub fn bn_mul_mont(
         r: *mut Limb,
         a: *const Limb,
         b: *const Limb,

src/ec/suite_b/ops.rs

@@ -687,22 +687,10 @@ mod tests {
         })
     }
 
-    #[test]
-    fn p256_scalar_square_test() {
-        prefixed_extern! {
-            fn p256_scalar_sqr_rep_mont(r: *mut Limb, a: *const Limb, rep: Limb);
-        }
-        scalar_square_test(
-            &p256::SCALAR_OPS,
-            p256_scalar_sqr_rep_mont,
-            test_file!("ops/p256_scalar_square_tests.txt"),
-        );
-    }
-
     // XXX: There's no `p384_scalar_square_test()` because there's no dedicated
     // `p384_scalar_sqr_rep_mont()`.
 
-    fn scalar_square_test(
+    pub(super) fn scalar_square_test(
         ops: &ScalarOps,
         sqr_rep: unsafe extern "C" fn(r: *mut Limb, a: *const Limb, rep: Limb),
         test_file: test::File,
@@ -1154,5 +1142,7 @@ mod tests {
 }
 
 mod elem;
+#[macro_use]
+mod boilerplate;
 pub mod p256;
 pub mod p384;

src/ec/suite_b/ops/boilerplate.rs

@@ -0,0 +1,20 @@
+macro_rules! mul_mont {
+    { $visibility:vis $name:ident(n0: $n0:expr; modulus: $modulus:expr) } => {
+        $visibility unsafe extern "C" fn $name(
+            r: *mut crate::limb::Limb,   // [COMMON_OPS.num_limbs]
+            a: *const crate::limb::Limb, // [COMMON_OPS.num_limbs]
+            b: *const crate::limb::Limb, // [COMMON_OPS.num_limbs]
+        ) {
+            use crate::arithmetic::montgomery::{bn_mul_mont, N0};
+            static N_N0: N0 = N0::precalculated($n0);
+            bn_mul_mont(
+                r,
+                a,
+                b,
+                $modulus.limbs.as_ptr(),
+                &N_N0,
+                COMMON_OPS.num_limbs,
+            )
+        }
+    }
+}

src/ec/suite_b/ops/p256.rs

@@ -307,21 +307,52 @@ prefixed_extern! {
         p_x: *const Limb,      // [COMMON_OPS.num_limbs]
         p_y: *const Limb,      // [COMMON_OPS.num_limbs]
     );
+}
 
-    fn p256_scalar_mul_mont(
-        r: *mut Limb,   // [COMMON_OPS.num_limbs]
-        a: *const Limb, // [COMMON_OPS.num_limbs]
-        b: *const Limb, // [COMMON_OPS.num_limbs]
-    );
-    fn p256_scalar_sqr_rep_mont(
-        r: *mut Limb,   // [COMMON_OPS.num_limbs]
-        a: *const Limb, // [COMMON_OPS.num_limbs]
+#[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))]
+mod scalar_ops {
+    use crate::limb::Limb;
+
+    prefixed_extern! {
+        pub(super) fn p256_scalar_mul_mont(
+            r: *mut Limb,   // [COMMON_OPS.num_limbs]
+            a: *const Limb, // [COMMON_OPS.num_limbs]
+            b: *const Limb, // [COMMON_OPS.num_limbs]
+        );
+        pub(super) fn p256_scalar_sqr_rep_mont(
+            r: *mut Limb,   // [COMMON_OPS.num_limbs]
+            a: *const Limb, // [COMMON_OPS.num_limbs]
+            rep: Limb,
+        );
+    }
+}
+
+#[cfg(not(any(target_arch = "aarch64", target_arch = "x86_64")))]
+mod scalar_ops {
+    use super::COMMON_OPS;
+    use crate::limb::Limb;
+
+    mul_mont! { pub(super) p256_scalar_mul_mont(n0: 0x_ccd1c8aa_ee00bc4f; modulus: &COMMON_OPS.n) }
+
+    pub(super) unsafe extern "C" fn p256_scalar_sqr_rep_mont(
+        r: *mut Limb,
+        a: *const Limb,
         rep: Limb,
-    );
+    ) {
+        debug_assert!(rep >= 1);
+        p256_scalar_mul_mont(r, a, a);
+        for _ in 1..rep {
+            p256_scalar_mul_mont(r, r, r);
+        }
+    }
 }
 
+use scalar_ops::*;
+
 #[cfg(test)]
 mod tests {
+    use super::{super::tests::scalar_square_test, *};
+
     #[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))]
     #[test]
     fn p256_point_mul_base_vartime_test() {
@@ -332,4 +363,13 @@ mod tests {
             test_file!("p256_point_mul_base_tests.txt"),
         );
     }
+
+    #[test]
+    fn p256_scalar_square_test() {
+        scalar_square_test(
+            &p256::SCALAR_OPS,
+            p256_scalar_sqr_rep_mont,
+            test_file!("p256_scalar_square_tests.txt"),
+        );
+    }
 }

src/ec/suite_b/ops/p384.rs

@@ -278,6 +278,8 @@ unsafe extern "C" fn p384_elem_sqr_mont(
     p384_elem_mul_mont(r, a, a);
 }
 
+mul_mont! { p384_scalar_mul_mont(n0: 0x_6ed46089_e88fdc45; modulus: &COMMON_OPS.n) }
+
 prefixed_extern! {
     fn p384_elem_mul_mont(
         r: *mut Limb,   // [COMMON_OPS.num_limbs]
@@ -296,10 +298,4 @@ prefixed_extern! {
         p_x: *const Limb,      // [COMMON_OPS.num_limbs]
         p_y: *const Limb,      // [COMMON_OPS.num_limbs]
     );
-
-    fn p384_scalar_mul_mont(
-        r: *mut Limb,   // [COMMON_OPS.num_limbs]
-        a: *const Limb, // [COMMON_OPS.num_limbs]
-        b: *const Limb, // [COMMON_OPS.num_limbs]
-    );
 }